| 1 |
On Mon, Nov 30, 2009 at 12:30:51PM +0100, Antoni Grzymala wrote: |
| 2 |
> I reckon that missing GPG infrastructure is one of the greatest problems |
| 3 |
> of the Gentoo distribution esp. regarding serious corporate and academic |
| 4 |
> deployments. |
| 5 |
> |
| 6 |
> I can devote some time to helping with the matter. |
| 7 |
I would certainly like to get that GLEP series completed and out there. |
| 8 |
|
| 9 |
There are still two GLEPs in the series that have not yet made it to |
| 10 |
draft status: |
| 11 |
http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/02-developer-process-security |
| 12 |
http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/03-gnupg-policies-and-handling |
| 13 |
|
| 14 |
However the main content of GLEPS 58-61 IS ready for the council to |
| 15 |
approve, and are NOT blocking on the above two items. |
| 16 |
|
| 17 |
As such, I would like to present GLEPS 58,59,60,61 for final review, and |
| 18 |
for the council to vote on their approval during the January meeting. |
| 19 |
|
| 20 |
I'm going to summarize them here: |
| 21 |
GLEP58: Security of distribution ... MetaManifest |
| 22 |
------------------------------------------------- |
| 23 |
- covers all Manifests with a infra-generated parent Manifest. |
| 24 |
- required for end-to-end validation. |
| 25 |
- prevents certain package manager attacks. |
| 26 |
- NO day-to-day developer actions required. |
| 27 |
|
| 28 |
GLEP59: Manifest2 hash policies and security implications |
| 29 |
--------------------------------------------------------- |
| 30 |
- Add SHA512 to all Manifest files. |
| 31 |
- Schedule removal of SHA1, MD5, RMD160 for 6-18 months after SHA512 |
| 32 |
addition. |
| 33 |
- Be prepared to add the NIST hash contest candidates/winner. |
| 34 |
|
| 35 |
GLEP60: Manifest2 filetypes |
| 36 |
--------------------------- |
| 37 |
(Has one TODO that needs clarification). |
| 38 |
- Breaks down the Manifest2 filetypes into INFOrmational and CRITical. |
| 39 |
- If the package manager is being strict, then INFO filetypes are |
| 40 |
treated as CRIT filetypes. |
| 41 |
- INFO filetypes merely cause a warning on absence. |
| 42 |
- CRIT filetypes may trigger a delayed OR immediate failure of absence. |
| 43 |
|
| 44 |
GLEP61: Manifest2 compression |
| 45 |
----------------------------- |
| 46 |
- Disk space optimization for MetaManifest from GLEP58. |
| 47 |
|
| 48 |
There is a prototype of the MetaManifest code here: |
| 49 |
http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/prototype/ |
| 50 |
It worked on Portage 2 years ago, but I haven't run it since then. |
| 51 |
|
| 52 |
-- |
| 53 |
Robin Hugh Johnson |
| 54 |
Gentoo Linux: Developer, Trustee & Infrastructure Lead |
| 55 |
E-Mail : robbat2@g.o |
| 56 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives